What is the difference between vscode remote-ssh and remote-tunnel connections

Question

How does VSCODE's Remote SSH compare against Remote Tunnels for development in terms of speed and code protection?

At a glance, it appears that SSH shares the workload (extension) across both machines

While the Remote Tunnel works entirely on the remote/server machine

Does Remote Tunnel connect both machines over the internet? How does it impact speed?

Is Remote SSH always preferable when it is possible?

Answer 1

Remote Tunnels VS Remote Development VS Code Server

as mentioned in code.visualstudio.com

Visual Studio Code Remote Development allows you to use a container, remote machine, or the Windows Subsystem for Linux (WSL) as a full-featured development environment.

Remote Development lets your local VS Code installation transparently interact with source code and runtime environments on other machines (whether virtual or physical) by moving the execution of certain commands to a "remote server", the VS Code Server. The VS Code Server is quickly installed by VS Code when you connect to a remote endpoint and can host extensions that interact directly with the remote workspace, machine, and file system.

We've released this VS Code Server backend component as a service you can run yourself (which you may read more about in its documentation), rather than it only being solely installed and managed by the Remote Development extensions.

---

Accessing the VS Code Server involves a few components:

The VS Code Server: Backend server that makes VS Code remote experiences possible.

• Remote Tunnels extension: Extension that facilitates the connection to the
• remote machine, where you have an instance of the server running.

Answer 2

"code protection": this is followed by microsoft/vscode-remote-release issue 6608, but without official documentation (yet).

Issue 8110 gives an example of using tunnel instead of SSH:

I'm using the code tunnel on a multi-node HPC cluster.
This means that I can run it from any number of machines (depending on where my job is scheduled), but all share the same NFS-mounted home directory.

However, I've noticed that the generated token is tied to a specific machine: if I run a new code tunnel from a different machine, it will give the prompt:

To grant access to the server, please log into https://github.com/login/device 
and use code XXXX-XXXX

This appears to modify the ~/.vscode-cli/token.json file.
If I run code tunnel again from the same machine, I don't see the prompt, but I do if I change machines (including ones previously authenticated).

With confirmation from Microsoft:

The token secret is encrypted(/obfuscated) using information specific to the machine. We do not currently support sharing this between multiple machines.

The obfuscation is used to provide some modicum of security on systems with more permissive keychains, i.e. ones that don't segregate secrets between different consuming applications on a system level.
See microsoft/vscode@cli/src/auth.rs

This was fixed with PR 175940.

All this points to a different encryption mechanism than SSH.